ELK Installation Tutorial | Quick Install of the Latest ELK 8.16.1

Today our little helper walks you through a quick installation of the latest ELK (demonstrated on Ubuntu).

 

Download the latest ELK 8.16.1 packages

Download the deb files and install them with dpkg:

### Download Elasticsearch
$ sudo wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.16.1-amd64.deb
### Download Logstash
$ sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-8.16.1-amd64.deb
### Download Kibana
$ sudo wget https://artifacts.elastic.co/downloads/kibana/kibana-8.16.1-amd64.deb
### Install the packages (dpkg -i needs root)
$ sudo dpkg -i elasticsearch-8.16.1-amd64.deb
$ sudo dpkg -i logstash-8.16.1-amd64.deb
$ sudo dpkg -i kibana-8.16.1-amd64.deb
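Before running dpkg -i it is worth checking each package against the .sha512 file Elastic publishes next to it (the same URL with .sha512 appended). The Python below is an added example, not part of the tutorial: it streams the package through SHA-512 and compares the result with the published digest. demo() builds a constructed stand-in file instead of a real .deb so it runs offline.

```python
"""Verify a downloaded Elastic .deb against its published .sha512 file before
installing it. Added example; not part of the tutorial."""
import hashlib
import os
import tempfile


def sha512_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so a large package never has to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def expected_digest(sha_file: str) -> str:
    """Elastic's .sha512 files hold '<hex digest>  <file name>'; return the digest."""
    with open(sha_file, encoding="ascii") as f:
        return f.read().split()[0].lower()


def verify_package(deb_path: str, sha_file: str) -> bool:
    """True only when the computed digest matches the published one."""
    return sha512_of_file(deb_path) == expected_digest(sha_file)


def demo() -> tuple:
    """Constructed stand-in for elasticsearch-8.16.1-amd64.deb (not a real package):
    the intact file passes, the same file with one changed byte fails."""
    with tempfile.TemporaryDirectory() as d:
        deb = os.path.join(d, "elasticsearch-8.16.1-amd64.deb")
        sha = deb + ".sha512"
        data = b"constructed package bytes, not a real .deb"
        with open(deb, "wb") as f:
            f.write(data)
        with open(sha, "w", encoding="ascii") as f:
            f.write(f"{hashlib.sha512(data).hexdigest()}  elasticsearch-8.16.1-amd64.deb\n")
        intact = verify_package(deb, sha)
        with open(deb, "wb") as f:
            f.write(data[:-1] + b"?")  # simulate a corrupted or tampered download
        tampered = verify_package(deb, sha)
    return intact, tampered


if __name__ == "__main__":
    # Usage on a real download: verify_package("elasticsearch-8.16.1-amd64.deb",
    #                                          "elasticsearch-8.16.1-amd64.deb.sha512")
    print(demo())  # → (True, False)
```

Fetch the .sha512 file with the same wget as the package and refuse to run dpkg -i when verify_package() returns False.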

 

Elasticsearch configuration

After installation, ES 8.x prints the message below. We recommend using the random password ES generated for you, or changing it separately with the command shown in the message.

--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : PeGGS9D*JOt8S3=Tt57*

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------

 

Edit the Elasticsearch YML

$ vi /etc/elasticsearch/elasticsearch.yml

### Use a different cluster.name for each cluster
cluster.name: bimap

### Defaults to the hostname
node.name: ${HOSTNAME}

### Change to match your paths; more than one is allowed
### If it lives under /data, create the directory first and make it owned by the elasticsearch user
path.data: ["/data/es"]

### Memory locking also needs LimitMEMLOCK=infinity in a systemd override (systemctl edit elasticsearch)
bootstrap.memory_lock: true
### ${IP} is expanded from the service environment (/etc/default/elasticsearch); otherwise write the bind address here
network.host: ${IP}

### Depending on your hosts, several nodes can be joined; this demo uses single-node mode:
discovery.type: single-node

 

Start Elasticsearch

$ systemctl start elasticsearch
$ systemctl enable elasticsearch
$ systemctl status elasticsearch

 

Verify that it started successfully

### replace ${你的密碼} with the elastic password printed above; -k skips certificate verification
curl -k -u elastic:${你的密碼} "https://localhost:9200"
{
  "name" : "cluster-test1",
  "cluster_name" : "ELK8-cluster",
  "cluster_uuid" : "mJ6d920ORiytWGZxnYHhlA",
  "version" : {
    "number" : "8.16.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
    "build_date" : "2024-01-08T10:05:08.438562403Z",
    "build_snapshot" : false,
    "lucene_version" : "9.8.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
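curl -k skips certificate verification, so the check above only proves that something answers on port 9200. The Python below is an added example, not part of the tutorial: it makes the same request while verifying the server against the CA Elasticsearch generated at install time (/etc/elasticsearch/certs/http_ca.crt) and parses the reply. SAMPLE_INFO is a constructed, trimmed copy of the reply shown above; the ELASTIC_PASSWORD variable and the es_check.py file name are assumptions.

```python
"""Check a freshly installed Elasticsearch 8.x node over HTTPS, trusting the CA
that ES generated at install time instead of skipping verification with curl -k.
Added example; not part of the tutorial."""
import base64
import json
import os
import ssl
import sys
import urllib.request

# Constructed sample: the root-endpoint reply shown in the tutorial, trimmed.
SAMPLE_INFO = """{
  "name" : "cluster-test1",
  "cluster_name" : "ELK8-cluster",
  "version" : { "number" : "8.16.1", "lucene_version" : "9.8.0" },
  "tagline" : "You Know, for Search"
}"""


def parse_info(body: str) -> dict:
    """Pull the fields worth checking after a fresh install out of the GET / reply."""
    data = json.loads(body)
    major = int(data["version"]["number"].split(".")[0])
    return {
        "node": data["name"],
        "cluster": data["cluster_name"],
        "version": data["version"]["number"],
        # 8.x is the line the security auto-configuration described above applies to
        "is_8x": major == 8,
    }


def fetch_info(url: str, ca_path: str, user: str, password: str, timeout: float = 5.0) -> dict:
    """GET url with basic auth and TLS verification pinned to ca_path
    (/etc/elasticsearch/certs/http_ca.crt on the install above). The default
    context also checks the hostname, so use a name or IP that is in the
    node's HTTP certificate rather than a wildcard address."""
    ctx = ssl.create_default_context(cafile=ca_path)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_info(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Usage (assumed names): ELASTIC_PASSWORD=... python3 es_check.py [https://localhost:9200]
    pw = os.environ.get("ELASTIC_PASSWORD")
    if not pw:
        sys.exit("set ELASTIC_PASSWORD to the password printed at install time")
    url = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:9200"
    print(fetch_info(url, "/etc/elasticsearch/certs/http_ca.crt", "elastic", pw))
```

If fetch_info() raises an SSL error, the URL host does not match the certificate or the CA file is wrong; that is the failure -k would have hidden.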

 

Kibana configuration

Fix Kibana file ownership

chown -R kibana. /etc/kibana

Edit the Kibana yml file

$ vi /etc/kibana/kibana.yml

server.port: 5601
server.host: "0.0.0.0"
server.publicBaseUrl: "http://0.0.0.0:5601"

 

Start Kibana

$ systemctl start kibana
$ systemctl enable kibana
$ systemctl status kibana

 

Get the Elasticsearch enrollment token

$ /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

 

Open the Kibana UI

Open a browser and enter localhost:5601 in the address bar.

In principle the screen below appears directly; paste the Elasticsearch token into it.

[Screenshot: Kibana enrollment-token input]

At this point you need to go back to the server to generate the verification code and enter it in the UI, for example:

$ /usr/share/kibana/bin/kibana-verification-code
Your verification code is:  139 477

 

Enable HTTPS for Kibana

### Generate the HTTPS certificate (a CA in PEM format)
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem
### Copy the certificate bundle to the right location and unpack it
cp /usr/share/elasticsearch/elastic-stack-ca.zip /etc/kibana
cd /etc/kibana
unzip elastic-stack-ca.zip
### Copy the ES HTTP CA certificate alongside it
cp /etc/elasticsearch/certs/http_ca.crt /etc/kibana/ca
### Fix ownership
chown -R kibana. /etc/kibana/ca

 

Edit kibana.yml

server.publicBaseUrl: "https://0.0.0.0:5601"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/ca/ca.crt
server.ssl.key: /etc/kibana/ca/ca.key
elasticsearch.hosts: ["https://0.0.0.0:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<password>"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca/http_ca.crt" ]
elasticsearch.ssl.verificationMode: none

### Comment out the following lines (written by the enrollment step)
#elasticsearch.hosts: ['https://192.168.253.133:9200']
#elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2ODc4NDk5Njk1MDk6QlRRUW1yeVpTeUtSS09aRVZibUJNUQ
#elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1687849970463.crt]
#xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.253.133:9200'], ca_trusted_fingerprint: a869f16d30c755a8beac2e2c4a3358d39c8746687fd27c0ed76d87a8250f8a5f}]
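Several settings in this fragment trade security for convenience: verificationMode: none turns off certificate checking on the Kibana-to-Elasticsearch connection, 0.0.0.0 is a bind address rather than a name that users or certificates can match, the kibana_system password sits in plaintext, and the CA certificate itself is served as the Kibana server certificate. The Python below is an added example, not part of the tutorial: it lints a kibana.yml for these patterns and carries a hardened equivalent beside the weak one. WEAK_KIBANA_YML is a constructed copy of the fragment above; the hostnames and certificate paths in HARDENED_KIBANA_YML are placeholders.

```python
"""Lint a kibana.yml for weak settings that a copy-and-paste HTTPS setup tends to
leave behind, with the hardened equivalent alongside. Added example; not part of
the tutorial. Hostnames and cert paths in HARDENED_KIBANA_YML are placeholders."""
import os

# Constructed copy of the kibana.yml fragment above (password is a placeholder).
WEAK_KIBANA_YML = """\
server.publicBaseUrl: "https://0.0.0.0:5601"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/ca/ca.crt
server.ssl.key: /etc/kibana/ca/ca.key
elasticsearch.hosts: ["https://0.0.0.0:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<password>"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca/http_ca.crt" ]
elasticsearch.ssl.verificationMode: none
"""

# The same deployment with each finding addressed (hypothetical names and paths).
HARDENED_KIBANA_YML = """\
server.publicBaseUrl: "https://kibana.example.internal:5601"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
elasticsearch.hosts: ["https://es1.example.internal:9200"]
elasticsearch.username: "kibana_system"
# elasticsearch.password is kept in the keystore: kibana-keystore add elasticsearch.password
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca/http_ca.crt" ]
elasticsearch.ssl.verificationMode: full
"""


def parse_flat_yaml(text: str) -> dict:
    """Just enough YAML for kibana.yml's flat 'key: value' lines; comments and blanks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def lint_kibana_yml(text: str) -> list:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("elasticsearch.ssl.verificationMode", "full") != "full":  # Kibana's default is full
        findings.append(("VERIFY_MODE", "verificationMode is not 'full': Kibana accepts any certificate "
                         "from anything answering on the ES port; set 'full' and point elasticsearch.hosts "
                         "at a name or IP present in the ES certificate"))
    if "0.0.0.0" in s.get("elasticsearch.hosts", ""):
        findings.append(("ES_HOST_WILDCARD", "elasticsearch.hosts uses 0.0.0.0, which is a bind address, "
                         "not a destination; use the node's hostname or IP"))
    if "0.0.0.0" in s.get("server.publicBaseUrl", ""):
        findings.append(("PUBLIC_URL_WILDCARD", "server.publicBaseUrl must be the URL users reach Kibana at"))
    if "elasticsearch.password" in s:
        findings.append(("PLAINTEXT_PASSWORD", "elasticsearch.password is in kibana.yml; store it with "
                         "'kibana-keystore add elasticsearch.password' instead"))
    cert = s.get("server.ssl.certificate", "")
    if s.get("server.ssl.enabled") == "true" and os.path.basename(cert) == "ca.crt":
        findings.append(("CA_AS_SERVER_CERT", "server.ssl.certificate is the CA certificate itself; issue a "
                         "server certificate for the Kibana hostname from that CA and serve that"))
    return findings


def finding_codes(text: str) -> set:
    """Convenience view used for comparing two configurations."""
    return {code for code, _ in lint_kibana_yml(text)}


if __name__ == "__main__":
    for code, msg in lint_kibana_yml(WEAK_KIBANA_YML):
        print(f"[{code}] {msg}")
    print("hardened findings:", lint_kibana_yml(HARDENED_KIBANA_YML))  # → []
```

A server certificate for Kibana can be issued from the CA created above with elasticsearch-certutil cert (passing the CA's ca.crt and ca.key and the Kibana hostname), and the secret can be moved out of the file with /usr/share/kibana/bin/kibana-keystore add elasticsearch.password; once those are in place, verificationMode: full works because the name in elasticsearch.hosts matches the ES HTTP certificate.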

 

Reset the kibana_system password, setting it to the same password used for elasticsearch above.

$ /usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system

Logstash configuration

Adjust the Logstash jvm.options; 4G at most (normally no adjustment is needed).

$ vi /etc/logstash/jvm.options
-Xms4g
-Xmx4g

 

Edit logstash.service

$ vi /lib/systemd/system/logstash.service

User=root
Group=root

 

Reload the systemd units

$ systemctl daemon-reload

 

Start Logstash

$ systemctl start logstash
### Shard recovery can be checked manually (recovery takes longer with large data sets)
### curl -k -u elastic:${你的密碼} "https://localhost:9200/_cat/recovery?v"
$ systemctl enable logstash
$ systemctl status logstash

 

 
